The obligation to report applies to network operators engaged in constructing and operating networks within the territory of the People’s Republic of China, or those providing services via these networks (collectively referred to as “Operators”).
The Measures classify Operators with reporting obligations into three categories:
Central Governmental Entities: Central and state organs and their affiliated public institutions;
Critical information infrastructure operators (“CIIO”): The Operator of critical information infrastructure. The competent authorities and supervisory and management authorities of critical industries and fields are responsible for identifying CIIOs and informing them of their status; and
Other Operators.
Reporting to whom?
The Measures specify the regulatory authorities that each category of entity is required to report to.
No. | Type of Operator | Reporting Authorities
1 | Central Governmental Entities | The functional branch responsible for network and information security within the sector-specific regulator; and public security authorities (if there is suspicion of crimes)
2 | CIIOs | The competent authorities, supervisory and management authorities; and public security authorities
3 | Other Operators | Local cyberspace administration; public security authorities (if there is suspicion of criminal activity); and
The Measures offer a succinct overview of the reporting process after a cybersecurity incident occurs:
Incident classification: Operators should classify the incident based on Annex 1 Cybersecurity Incident Classification Guide of the Measures, which categorises cybersecurity incidents into four levels from highest to lowest severity: extremely significant, significant, relatively significant, and general.
Initial report: Operators should implement appropriate security measures and initiate reporting based on the classified level of the cybersecurity incident. The Measures specify the information to be included in the report, and enterprises may rely on Annex 2, the Cybersecurity Incident Information Report Form of the Measures, to prepare it.
Supplementary report: If the cause, impact, or trend of the incident cannot be determined at the time of the initial report, or if new developments arise or significant progress is made in the investigation, Operators should submit a supplementary report.
Summary report: Once the incident has been resolved, Operators need to summarise and analyse it, covering the cause of the incident, contingency response measures, harm, allocation of responsibilities, rectification status, lessons learned, etc.
Timeframe
The Measures specify different timeframes for three categories of reports.
Initial report: When relatively significant or extremely significant cybersecurity incidents occur, Operators shall report to the authorities within one hour. Considering the complexity of the reporting content, the 1-hour timeframe is extremely stringent for enterprises. Therefore, enterprises are recommended to formulate and implement contingency response plans, and ensure rapid identification of the facility, system, or platform where the security incident occurred.
Supplementary report: If applicable, Operators are required to submit a supplementary report within 24 hours.
Summary report: Operators need to summarise and analyse the incident within five working days and report to the authorities.
Next Steps, Impacts and Our Suggestions
The Measures have now completed their call for public comment, and the CAC will make further revisions based on the public comments. Although the exact timing of the release of the final version is uncertain, the issuance of the Measures indicates that enforcement activities related to cybersecurity incidents might become more frequent and stringent in the future.
We advise enterprises to continuously monitor further legislative developments and establish a comprehensive incident contingency response and reporting mechanism. It is recommended that enterprises conduct a prior mapping and prepare templates with basic information on each network and system in advance so that they can respond to incidents quickly and fulfil reporting obligations promptly. At the same time, enterprises should pay attention to the following aspects:
Establishing data security management policy, especially emergency plans related to cybersecurity incidents.
Conducting regular drills for cybersecurity incidents.
Strengthening employees’ awareness of cybersecurity and data security through regular training and other means.
Enhancing security risk detection during significant events, such as product launches, to prevent incidents like zero-day attacks.